The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 16 Issue 26

Wednesday 20 July 1994

Contents

o IRS
Phil Agre
o Crashed bank teller
Kees Goossens
o HERF Vindication II
Winn Schwartau
o The digital individual
Phil Agre
o Victim on the infobahn
Bill Donahue
o Benefits Agency Smart Payment Card
Shaggy
o Risks of confusing "headlines" with "in depth news"
Bob Estell
o Re: Aircraft Avionic Vulnerabilities
A. Padgett Peterson
o Re: Inmates con jail computer
Amos Shapir
o "Firewalls and Internet Security" by Cheswick/Bellovin
review by Rob Slade
o "The Fool's Run" by Camp
review by Rob Slade
o InfoWar II--First Call for Participation
Mich Kabay
o Info on RISKS (comp.risks)

IRS

Phil Agre <pagre@weber.ucsd.edu>
Wed, 20 Jul 1994 15:36:55 -0700
The 19 July 1994 New York Times carries a long article about hundreds of IRS
(Internal Revenue Service, the American tax collection people) employees being
disciplined for peeking at tax returns that they shouldn't have been.  The
IRS's investigations concluded that the employees' suspicious behavior ranged
from out-and-out fraud to simple curiosity.  They discovered the need for
guidelines about which degrees of wrongdoing merited which punishments.  The
full reference is:

  Robert D. Hershey, Jr., IRS staff is cited in snoopings, New York Times,
  19 July 1994, pages C1, C12.

It's one of those stories that can be invoked as evidence for either of two
contradictory positions: that employees' illicit use of personal files is
a serious problem, or that it's not a real problem since the wrongdoers are
getting caught.  It's clear that private businesses have the same problems
with illicit peeking at personal information.  We might ask whether public
or private organizations have a greater incentive to prevent this kind of
thing.  Since information can be copied readily, it's not like pilfering in
a warehouse, where the organization loses capital in a straightforward sense
and thus has a straightforward interest in preventing it.  An exception would
be information that is leaked to customers who would otherwise purchase the
information from the organization, as opposed to being leaked to people whose
status or purposes would not otherwise permit them to buy the information
through the front door.

Instead, the organization's interest is generally more indirect, having
primarily to do with its reputation and the reputations of its leaders.  In
a society without privacy activists or a free press serving a public that is
aware that its privacy is threatened, I think organizations would have little
incentive to do anything about leaks of personal information.  In the society
we have right now, I would suggest that the IRS has a greater incentive to
prevent leaks of personal information than does a credit bureau or other
private information holder, since it is politically much more practical
for the legislature to make the IRS bureaucrats miserable than to make the
officers of private firms miserable.  Others may disagree, but the important
thing is to understand the mechanisms which create, or *could* create,
organizational interests in genuinely protecting private information.  Fear
of legislation is a good one, but others exist as well.

Phil Agre, UCSD


Crashed bank teller

Kees Goossens <kgg@dcs.ed.ac.uk>
Tue, 19 Jul 94 10:55:35 +0100
[I presume you call a cash till that does not give cash a TELLER?  KGG]
              [Well, we might as well for the purposes of this message.
              It is certainly not an ASKER!  PGN]

Today, in my local branch of Banca di Roma, in central Rome, Italy I
encountered a bank teller which had crashed.  These machines allow you to
obtain bank statements but do not dispense cash.  The display I encountered
contained a number of error messages (file not found, could not create file,
etc) followed by the prompt (A>).  Feeling somewhat guilty, I typed DIR, which
worked and listed a number of executables and some documents.  I looked at one
called "fine", meaning "end" in Italian, which contained instructions for the
shutdown of the system.  At this point I alerted the lady at the counter: "Are
you aware that your system has crashed and that I can modify whatever I want
in the system?".  The latter to emphasise the gravity of the situation; I'm
not sure how much I could have done in practice.  This did indeed produce some
alarm, and I was told that there was a systems person who'd take care of the
situation.  I did not see this person arrive during my subsequent wait in the
queue (which this teller is supposed to diminish btw).  As for the cause of
the crash, the computer terminals at the counters were dead at roughly the
same time, perhaps due to a common cause.

Kees Goossens <kgg@dsi.uniroma1.it>       http://www.dcs.ed.ac.uk/staff/kgg
Dip. di Scienze dell'Informazione, Universita di Roma "La Sapienza", Italy

   [A considerable risk would exist if there is a way to crash the
   system intentionally in order to reach that prompt...  Knowing what
   we know about risks, we might suspect that to be the case.  PGN]


HERF Vindication II

"Winn Schwartau" <p00506@psilink.com>
Mon, 18 Jul 94 11:58:19 -0500
As RISKS readers know, I have ruffled more than a few feathers here in the US
and with foreign governments over the issue of HERF (High Energy Radio
Frequency) interference as a potential weapon system. Recently, RISKS readers
have seen mounting evidence of anomalous electrical interference behavior at
37,000 feet.  Boeing and Apple and other companies have tried to quantify the
phenomenon but EMI and RFI interference is highly elusive.

Maybe the July 18, 1994 issue of the New York Times will shed additional
light.  The FBI mounted a whistle-blower sting operation against General
Electric with the assistance of one of their engineers who alleged that the
company was improperly grounding its jet engines to the detriment of safety to
both commercial and military aircraft.  So alarmed was the Air Force One pilot
that he refused to take off from Rome's airport with President Clinton until
he was assured it was safe to do so.

The GE engineer and whistle-blower Ian Johnson said he discovered the
problems with improper engine grounding in 1989 but that his concerns were
subsequently brushed aside.  Engine grounding is critical to proper electrical
performance in the air, and the technique GE uses to insure a quality
connection is called electrical bonding.  Is it any coincidence that laptop
EMI stories began about a year later when portable digital electronics became
popular?

As any electrical engineer knows, any connection will introduce a given amount
of electrical resistance (measured in ohms .  .  .  Ohm's law, remember?) into
a circuit.  The goal is to approach zero resistance in any connection.
Period.  Poor connections not only change the values in the circuit thus
changing the circuit performance, but can also become diode-like and act like
unpredictable rectifiers.  Not good.

According to the article, GE engines' electrical bonding should result in an
added impedance (resistance) of 2.5 milliohms (.0025 ohms) but was found in
some cases to exceed 60,000 milliohms (60 ohms) and that is a lot: off by a
factor of 24,000!  In my former life as a circuit/systems designer, such an
intolerable error would GUARANTEE a failure.

The need for adequate bonding is clear: make sure that stray electrical
signals such as from lightning bolts or from laptop computers or other
consumer electronic devices do not interfere with the safe and reliable
operation of 100 tons of metal hurtling through the atmosphere.

GE denies it (what else is new!) and there is bound to be a debate as to
whether there really was an intentional cover-up as stated by Mr. Johnson.

In an interesting side note, the FBI had Mr. Johnson wear a wire (a tape
recorder on his person) over a period of 6 months to get the goods on GE.

I guess this case will take over our minds and souls soon enough, on the "All
O.J. Network."


The digital individual

Phil Agre <pagre@weber.ucsd.edu>
Sat, 16 Jul 1994 14:09:31 -0700
An academic journal called _The Information Society_ has just published a
special issue (volume 10, number 2, April-June 1994) entitled "The Digital
Individual".  (I'm the issue's guest editor.)  It includes five articles whose
general theme is that people's activities increasingly cast "shadows" onto
the insides of computers.  As a result, the whole notion of a human individual
is beginning to change.  Everyone has their physical self and surroundings and
possessions, but they also have an elaborate digital aspect to their selves
which follows them around through life.  People use their digital shadows in
a variety of beneficial ways, for example in sending messages to mailing lists
like Risks, but they are often managed and controlled through their digital
shadows as well.  Since the outcome of this ambivalent situation is neither
all-good nor all-bad, it helps to make distinctions and put things in contexts,
and that's what the articles in this special issue try to do.  If you would
like to see the full contents and abstracts for the special issue, send a
message that looks like this:

  To: rre-request@weber.ucsd.edu
  Subject: archive send tis-digital

Phil Agre, UCSD

    [Remember to sniff it out.  The shadow nose!  PGN]


Victim on the infobahn

Bill Donahue <74562.3064@compuserve.com>
18 Jul 94 21:08:20 EDT
    I learned the other day that I am a victim on the information
superhighway. It's a long story; I'll relate it in hopes that there are folks
out there who have had similar experiences and can tell me about them.
     My wife and I had been getting about 15 anonymous calls a day for the
past three weeks. The caller would contact us at all hours, and would never
say anything at all. We were quite rattled because, as it happened, the calls
began coming just as I, a freelance journalist, began work on a murder story
and just as we prepared for the birth of our first child. The unknown man on
the other end of the line was, in our haunted imagination, a crazed murderer
after our new child.
    We tried to invoke "Caller ID" to catch our harasser, but this did not
work. Next, we called our phone carrier, US West, and our local sheriff to get
them to look into the matter. We kept a log of all the "harassing" calls, and
asked ourselves who so hated us that they would spend the money to call us via
long distance 15 times a day and hang up each time.
    Finally, the other day we got an answer: A computer software firm had
inadvertently entered our number into a database and prompted one of its
modems to keep trying our number, over and over. The lawyer for the company
called me today to apologize for the disturbance his firm had caused us. He
said, "I guess you were just a victim on the information highway. I'm sorry,"
but I was quite struck how minimal this whole thing was on his end (a few
misstrokes on the keyboard) and how massive the disturbance was on our
end--getting woken in the middle of the night, etc.
    I'm thinking now of writing a magazine article on our experience, and
am posting for two reasons. First, I'd like to hear from people who, like me,
have become "victims on the infobahn," and second, I'd like to get some
broader perspective. Do people know of any groups which monitor modem-caused
problems?  Are you aware of any laws covering such matters, and do you know
how frequently mishaps like mine occur?
    Any input would be greatly appreciated. Thank you,

 Bill Donahue 74562,3064@CompuServe.com


Benefits Agency Smart Payment Card

Shag the Moose <Shaggy@moose.demon.co.uk>
Thu, 14 Jul 94 23:07:36 GMT
The Benefits Agency (the 65,000 strong government agency responsible for the
administration and payment of welfare benefits in the UK) has announced a new
method of payment system, to be introduced over the next three years
throughout the UK.

Customers will present their personalised smart card to the Post Office, who
will swipe it, do an (as yet unspecified) ID check from info held
electronically on the card, and check on-line to the BA office to find out how
much money the person is due.  This will replace Girocheques and order books;
a system of 'valuable paper' which has been essentially unchanged since 1948.
The prototype uses a digitised photo and pressure-pad signature.

As the cards will have no inherent value, rough estimates are that payment-
related benefit fraud will be reduced by approximately 90%.

The BA has some 23,000,000 customers at any given time; approximately half
the adult population of the UK.  Customers will have an alternative to the
smart card, in the form of ACT payments to their bank.

Shaggy


Risks of confusing "headlines" with "in depth news"

Bob Estell - The Ancient Mariner <estell@fidler.chinalake.navy.mil>
Tue, 19 Jul 1994 09:30:26 PDT
One of the several RISKS of using computers is that ordinary people
(i.e., NOT computer gurus) may tend to listen TOO much to computer gurus.
Why?  Probably for reasons akin to why we listen to our doctors or our
auto mechanics: if they are good they know more than we do about something
that is important to us.

OK so far.  But we (too many of us) are spoiled by getting news in "sound
bytes" (or their e-mail or paper memo or slide presentation equivalents).
Too many of us do not appreciate the difference between CNN's Headline News
and PBS's MacNeil-Lehrer Report; or their computing equivalents, for example
INFORMATIONWEEK and IEEE COMPUTER.  Both valuable, but very different.

So we hear one week that ISDN (or some other recent technology) has been
revised and is now thriving; and within a month we hear from some other
guru that the same technology has not lived up to its promise.  Promise?
or just hype? not only that, but hype by those same gurus, perhaps a bit
too eager for more clients?  or just not reading each other's stuff?
OK, gurus have only 24 hours a day, and can't keep up either.

In early Aug 94, I retire from 34 years of federal service; and will thus
for a while at least be off the InterNet.  I'll especially miss RISKS
because it is one of the very few forums that is both current and thorough
which is a tribute to its clients and especially its Moderator.

According to some of these same gurus I am an old dog not able to learn
new tricks; but others say that people like me are a valuable resource.
I believe the latter opinion, not only because it is flattering, but also
because the former may misunderstand the difference between 30 years
experience and 3 years repeated 10 times.

   Bob Estell (542 Mary Ann Ave., Ridgecrest, CA 93555)


Re: Aircraft Avionic Vulnerabilities (RISKS-16.25)

A. Padgett Peterson <padgett@tccslr.dnet.mmc.com>
Wed, 20 Jul 94 10:17:20 -0400
I have been wearing hearing aids for over twenty years, and on numerous
occasions they have allowed me to listen to things most people are "deaf" to.

This is made possible by the inductive pickups in my hearing aids: throwing a
switch turns off the microphone and turns on the inductive pickup, and a whole
new world appears.

Just as an example, once upon a time, many people in a particular section of
the building I worked in began complaining of headaches though no reason could
be found. I happened to walk through the area in inductive mode & began to
hear a beeping. Turned out that a RADAR unit at the nearby airbase had become
misaligned and was sweeping the corner of the building. Realignment cured the
headaches.

Through the years I have had many such incidents of being able to identify
electrical problems this way by characteristic "sounds".  The point is that the
interior of a commercial aircraft is one of the "noisiest" environments I have
ever encountered, with the 400 Hz being almost "deafening" and a myriad of
other jingles, jangles, and hums also apparent.

One cannot but think that there must be almost no shielding of any signals in
a modern aircraft and to me the amazing part is not that instruments are
affected by laptops (low amplitude but I can "hear" them) but that they manage
to operate at all in such an electronic bedlam.

Padgett

ps I have no idea what the spectrum of my hearing aids is, just that they
   have enabled the detection of too many diverse things to be very limited.
   Once they determined that a "haunted" corner in a house was nothing more
   than a power box on the other side of the wall.

     [Ah, Padgett is an auditory canary, similar to the canary the miners
     used to take down with them to provide an early warning on toxic gases!
     Think of it as a *gift*.  PGN]


Re: Inmates con jail computer (Ilieve, RISKS-16.23)

Amos Shapir <amos@cs.huji.ac.il>
17 Jul 1994 13:29:47 +0300
Peter Ilieve <peter@memex.co.uk> writes:

>`The sophisticated computerised security system was designed to end slopping
>out by allowing one prisoner at a time from each landing to go to the toilet
>during the night. [Sanitation is not the UK prison system's strong point,
>prisoners usually have to make do with a bucket in the corner of the
>cell (...)

This incident demonstrates a far more important RISK than just subverting the
computerized system; the real RISK is that such a system was installed to
solve a problem which should have been solved by a better sewage system!

Amos Shapir, The Hebrew Univ. of Jerusalem, Dept. of Comp. Science.
Givat-Ram, Jerusalem 91904, Israel   +972 2 585706,586950  amos@cs.huji.ac.il


"Firewalls and Internet Security" by Cheswick/Bellovin

"Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067"
Mon, 18 Jul 1994 01:37:32 -0600 (MDT)

BKFRINSC.RVW  940502

Addison-Wesley Publishing Company
P.O. Box 520
26 Prince Andrew Place
Don Mills, Ontario
M3C 2T8
416-447-5101
fax: 416-443-0948
Heather Rignanesi, Marketing, x340, 73171.657@Compuserve.com
or
Tiffany Moore, Publicity  tiffanym@aw.com
Bob Donegon  bobd@aw.com
John Wait, Editor, Corporate and Professional Publishing johnw@aw.com
Tom Stone, Editor, Higher Education Division  tomsto@aw.com
Philip Sutherland, Schulman Series 74640.2405@compuserve.com
Keith Wollman, Trade Computer Group keithw@aw.com
Lisa Roth Blackman, Trade Computer Group lisaro@aw.com
1 Jacob Way
Reading, MA   01867-9984
800-822-6339
617-944-3700
Fax: (617) 944-7273
5851 Guion Road
Indianapolis, IN   46254
800-447-2226
"Firewalls and Internet Security", Cheswick/Bellovin, 1994, 0-201-63357-4,
U$26.95.
firewall-book@research.att.com ches@research.att.com smb@research.att.com

The Internet has a reputation for a lack of security.  Those books which
mention security on the Internet generally suggest setting up a firewall
machine in order to protect yourself, but stop short of giving anything
resembling details of how to do such a thing.  Cheswick and Bellovin not only
give practical suggestions for firewall construction, they also address other
aspects of Internet security, as well.

Part one gives a basic background, both of security, and of TCP/IP.  If you
didn't think you needed security before, you will after reading chapter two.
Part two details the construction of firewall gateways, as well as
authentication, tools, traps, and cracking tools for use in testing the
integrity of your system.  Part three discusses attacks, and the logging and
analysis thereof.  The book also looks at legal aspects, secure communication
over insecure links, resources and various helpful information.

Although the book deals specifically with TCP/IP, the concepts, which are the
parts stressed, are applicable to any network-connected systems.  This is
probably destined to become one of the security classics within its specialized
field.

copyright Robert M. Slade, 1994   BKFRINSC.RVW  940502

==============
Vancouver Institute for Research into User Security Canada V7K 2G6
ROBERTS@decus.ca  Robert_Slade@sfu.ca  rslade@cue.bc.ca   p1@CyberStore.ca


"The Fool's Run" by Camp

"Rob Slade, Ed. DECrypt & ComNet, VARUG rep, 604-984-4067"
Wed, 20 Jul 1994 13:05:39 -0600 (MDT)

BKFLSRUN.RVW  940428

%A   Camp, John
%C   2801 John Street, Markham, Ontario, Canada   L3R 1B4
%D   1989
%G   0-451-16712-0
%I   Penguin/Signet
%O   U$4.95/C$5.95
%T   "The Fool's Run"

I very strongly suspect that whoever wrote the screenplay for "Sneakers" read
this first.  There is a mob connected corporation.  They wish to do some
espionage.  They hire a tiger team to do it for them.  They try to betray, and
possibly destroy, the tiger team.  The team is then forced to "crack" their
former client.  There is the same paranoia about the National Security Agency.

I don't know who the technical consultant was for this book, but he, she or it
did an even better job here than Captain Crunch did for the movie.  We have
insider information, phone phreaking, database surfing, social engineering and
overconfident systems managers.  Chapter thirteen introduces computer viral
programs, and I had to go back and check the copyright date.  At a time when
the supposedly technical books were printing absolute garbage, this novel had
the concepts down pat (although slightly shaky on the details).

Probably it won't become a classic in either literature or data security, but
it is a reasonably fun read, with refreshingly accurate technical details.

copyright Robert M. Slade, 1994   BKFLSRUN.RVW  940428

==============
Vancouver Institute for Research into User Security Canada V7K 2G6
ROBERTS@decus.ca  Robert_Slade@sfu.ca  rslade@cue.bc.ca   p1@CyberStore.ca


InfoWar II--First Call for Participation

"Mich Kabay [NCSA Sys_Op]" <75300.3232@compuserve.com>
19 Jul 94 12:22:13 EDT
   [For further information, contact Mich at 75300.3232@compuserve.com.  PGN]

FIRST CALL FOR PARTICIPATION

Second International Conference on Information Warfare:
"Chaos on the Electronic Superhighway"

Conference Date:    Wed 18 January 1995
Conference Locale:  Dorval Airport Hilton Hotel
                    Montreal, Canada

1.   INTRODUCTION

Cultures that depend on information systems are vulnerable to Information
Warfare.  Attacks on data confidentiality, data integrity and data
availability will damage individuals, corporations and other private
organizations, government departments and agencies, nation-states and
supranational bodies.

It is essential to erect legal, organizational, and cultural defences
against information warfare.

The Second International Conference on Information Warfare will focus on panel
discussions of Winn Schwartau's new book, _Information Warfare: Chaos on the
Electronic Superhighway_, published in 1994 by Thunder's Mouth Press (ISBN
1-56025-080-1).

This announcement serves as a request for participation by those wishing to
appear on panels, those wishing to suggest speakers, and others wishing to be
added to a mailing list (electronic and snailmail) for further details as they
develop.

Panelists will be asked to analyze selected portions of _Information Warfare_
and to present refutations or support for the author's statements, assertions,
predictions, warnings and recommendations.

The Conference will serve the interests of information security
specialists and strategic planners from the corporate world, military
and government circles, and academia.  The Press will be permitted
to cover the event, providing opportunities for increased public
awareness of vulnerabilities of the information infrastructure.

The Conference Proceedings will contribute to the national and
international debates about information warfare and the need for
careful planning to avoid disruption by hostile forces as national
and international information highways develop worldwide.

Following recommendations from last year's participants in the First
International Conference on Information Warfare, we have scheduled more free
time for the animated discussion among participants.

Informal discussions will be aided by Special Interest Group signs allowing
people with specific interests to congregate.

The organizers are making a special effort to reach members of the defence
establishments of Canada and the United States.  In order to foster the
greatest degree of serious and productive discussion, room has been reserved
for no more than 100 participants.

2.   PROGRAM:

     07:30-08:30  Registration and Continental Breakfast
     08:30-09:00  Keynote Address:Warfare and InfoSec
     09:00-10:15  Class I InfoWar:  Attacks on Personal Information
     10:15-10:45  Break for informal discussions by topic:
                    Privacy, Cryptography, Laws, Law Enforcement
     10:45-12:00  Class II InfoWar:  Corporate InfoSec
     12:00-13:30  Buffet lunch and informal discussions by sector:
                    Corporate, Government, Military, Academic
     13:30-14:45  Class III InfoWar:  Global InfoSec
     14:45-15:30  Informal discussions by network technology:
                    PCs, LANs, WANs, Internet
     15:30-16:15  General discussions among panelists and other
                    participants
     16:15-16:30  Closing comments

The official language of the Conference is English.

3.   SUBMISSIONS

The Program Committee will select a suitable number of
participants for the panel discussions.  Selection will be based on
subjective judgements of who is likely to offer the most thoughtful
and stimulating expositions and analyses of the topics.

Once panelists have been selected, the Program Committee requests
that they submit a brief written analysis of the topic they agreed to
speak on.  This one- to ten-page document will be published in the
Conference Handbook and will then appear in the Conference
Proceedings along with additional materials added during the
Conference.

Deadline for consideration as a panelist:  30 Sep 1994.

Confirmation of panel participation:  15 Oct 1994.

Deadline for submissions for inclusion in Conference Handbook:
15 Nov 94.

    [Rest deleted.  Write Mich for full text.  PGN]